Privacy Expert To Publishers: Don't Bury It In The Privacy Policy

  • by July 29, 2004
Behavioral marketing is hot and here to stay, but there is a "disconnect" between the way regulators think about privacy and the way business thinks of privacy, according to D. Reed Freeman, chief privacy officer, vice president-legislative and regulatory affairs, Claria Corp. Addressing attendees at the Jupiter Advertising Forum on Thursday, Freeman argued that -- while behavioral marketing is "wildly effective" in increasing the value of publishers' properties -- online publishers, third party vendors, and others should expect more enforcement because consumers are complaining about the lack of clear disclosure in the use of personal and non-personal data.

"There are two Americas," Freeman quipped, in reference to a phrase used often in speeches by Democratic Vice Presidential candidate John Edwards. "There's government and there's business." And where issues regarding who owns consumer data arise, the government cares about who has the information whether it's publishers, businesses, or third- parties. Freeman set out the legal and regulatory framework of pertinent issues where behavioral marketing is concerned.

Freeman said there are three types of tracking that the government cares about: tracking of site users by Web site publishers; tracking by third-parties, vendors, and consultants; and tracking of consumers by third-parties that have relationships only with those consumers, not Web sites. "The government thinks you can't just bury things in a privacy policy," Freeman said. "If a consumer would be surprised, it needs to be lifted from a privacy policy." Policies and procedures must be "clear and conspicuous" and not hidden; they must be unavoidable before a consumer hits the button.

Freeman, a former staff attorney at the Federal Trade Commission's Bureau of Consumer Protection, told attendees that the government focuses on "misuse" of data. "Misuse" is defined as a use a consumer wouldn't expect, or a use unrelated to the reason consumers offered their information. Third-party vendors can be cited for failing to disclose that they offered consumer information to other vendors. Therefore, non-disclosure agreements should be in place with all vendors, Freeman said. For the collection of non-personal information, publishers must disclose in privacy policies the names of third-parties that will have access to the data and how they will use it. Consumers must also be given the choice to opt-out.

If personal and non-personal information is merged, that action must be removed from the policy and made explicit upfront. "When you change the deal on the consumer, you must go back to ask for permission," Freeman said.

If a company tracks consumers' online behavior for its own use or the use of its advertiser clients, the company must give notice. Why? Because it's something consumers wouldn't expect. "Notice should be given by the company that collects the information before consumers take action," Freeman said, underscoring that "Disclosures can't just be buried in a privacy policy."

Freeman cited California as the first state in the country to require a privacy policy that articulates the way companies collect, track, and use personal information. Michigan, Pennsylvania, New York, and Utah have all considered legislation controlling the use of non-personal information for commercial purposes.

Federal legislation pending in Congress advances that all deceptive practices are illegal and require information collection programs to give "clear and conspicuous" notice to consumers. Freeman said that the federal legislation, if passed, should pre-empt all state legislation. Utah's Spyware Control Act has been enjoined preliminarily.

Next story loading loading..